docs: fix adequacy for state invariant-style WP

docs/program-logic.tex

@@ -340,33 +340,31 @@ The purpose of the adequacy statement is to show that our notion of weakest prec
 There are two properties we are looking for: First of all, the postcondition should reflect actual properties of the values the program can terminate with.
 Second, a proof of a weakest precondition with any postcondition should imply that the program is \emph{safe}, \ie that it does not get stuck.
 
-To express the adequacy statement for functional correctness, we assume we are given some set $V \subseteq \Val$ of legal return values.
-Furthermore, we assume that the signature $\Sig$ adds a predicate $\pred$ to the logic which reflects $V$ into the logic:
+\begin{defn}[Adequacy]
+  A program $\expr$ in some initial state $\state$ is \emph{adequate} for a set $V \subseteq \Val$ of legal return values ($\expr, \state \vDash V$) if for all $\tpool', \state'$ such that $([\expr], \state) \tpstep^\ast (\tpool', \state')$ we have
+\begin{enumerate}
+\item Safety: For any $\expr' \in \tpool'$ we have that either $\expr'$ is a
+  value, or \(\red(\expr'_i,\state')\):
+  \[ \All\expr'\in\tpool'. \toval(\expr') \neq \bot \lor \red(\expr', \state') \]
+  Notice that this is stronger than saying that the thread pool can reduce; we actually assert that \emph{every} non-finished thread can take a step.
+\item Legal return value: If $\tpool'_1$ (the main thread) is a value $\val'$, then $\val' \in V$:
+  \[ \All \val',\tpool''. \tpool' = [\val'] \dplus \tpool' \Ra \val' \in V \]
+\end{enumerate}
+\end{defn}
+
+To express the adequacy statement for functional correctness, we assume that the signature $\Sig$ adds a predicate $\pred$ to the logic which reflects the set $V$ of legal return values into the logic:
 \[\begin{array}{rMcMl}
   \Sem\pred &:& \Sem{\Val\,} \nfn \Sem\Prop \\
   \Sem\pred &\eqdef& \Lam \val. \Lam \any. \setComp{n}{v \in V}
 \end{array}\]
 The signature can of course state arbitrary additional properties of $\pred$, as long as they are proven sound.
-
 The adequacy statement now reads as follows:
 \begin{align*}
- &\All \mask, \expr, \val, \pred, \state, \state', \tpool'.
- \\&( \ownPhys\state \proves \wpre{\expr}[\mask]{x.\; \pred(x)}) \Ra
- \\&\cfg{\state}{[\expr]} \step^\ast
-     \cfg{\state'}{[\val] \dplus \tpool'} \Ra
-     \\&\val \in V
-\end{align*}
-
-The adequacy statement for safety says that our weakest preconditions imply that every expression in the thread pool either is a value, or can reduce further.
-\begin{align*}
- &\All \mask, \expr, \state, \state', \tpool'.
- \\&(\All n. \melt \in \mval_n) \Ra
- \\&( \ownPhys\state \proves \wpre{\expr}[\mask]{x.\; \pred(x)}) \Ra
- \\&\cfg{\state}{[\expr]} \step^\ast
-     \cfg{\state'}{\tpool'} \Ra
-     \\&\All\expr'\in\tpool'. \toval(\expr') \neq \bot \lor \red(\expr', \state')
+ &\All \mask, \expr, \val, \pred, \state.
+ \\&( \TRUE \proves {\upd}_\mask \Exists S. S(\state) * \wpre{\expr}[\mask]{x.\; \pred(x)}) \Ra
+ \\&\expr, \state \vDash V
 \end{align*}
-Notice that this is stronger than saying that the thread pool can reduce; we actually assert that \emph{every} non-finished thread can take a step.
+Notice that the state invariant $S$ used by the weakest precondition is chosen \emph{after} doing a fancy update, which allows it to depend on the names of ghost variables that are picked in that initial fancy update.
 
 \paragraph{Hoare triples.}
 It turns out that weakest precondition is actually quite convenient to work with, in particular when perfoming these proofs in Coq.